Cisco ASA5505 logging
This is probably a very basic question...
I have a new Cisco ASA5505 and I'm looking at the logs at the console level. Currently when I do a sh logging I just get the output below. I expected to see the system messages I saw on other PIX / ASA units.
Any ideas on what command I need to run in order to enable these messages?
mipsasa01# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 7108 messages logged
"show logging" displays what is called the log buffer. Your buffer logging is disabled. Use the config command "logging buffered" to enable it. You can adjust the size of the buffer with "logging buffer-size". I believe the buffer space is allocated in memory, so don't go overboard.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/L2.html#wp1729451
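As an added example (editor's addition, not from the post or the reply), here is a config fragment that enables the buffered logging the reply describes and also ships messages to an external syslog collector so they survive a reload. The interface name "inside", the collector address 10.1.1.50 and the buffer size are assumptions.

```cisco
! Added example: enable logging on an ASA (8.x syntax); not from the original thread.
! Assumed: collector 10.1.1.50 reachable via the interface named "inside".
logging enable
logging timestamp
!
! Local buffer: what "show logging" displays on the box; it is RAM and is lost on reload
logging buffered informational
logging buffer-size 65536
!
! Console logging slows the box under load; leave it at errors only
logging console errors
! Monitor logging shows up in SSH/Telnet sessions that issue "terminal monitor"
logging monitor informational
!
! Ship to a syslog collector (UDP/514 by default; add "tcp/1470" for TCP)
logging host inside 10.1.1.50
logging trap informational
logging facility 20
logging device-id hostname
!
! Keep the ASDM view working as before
logging asdm informational
```

After applying this, "show logging" should list Buffer logging and Trap logging as enabled at the chosen levels, and the message counter should start climbing. If you point "logging host" at a TCP port, remember that by default the ASA stops building new connections while a TCP syslog server is unreachable; "logging permit-hostdown" changes that so a dead collector does not take the firewall with it.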
Tags: Cisco Security
Similar Questions
-
Cisco ASA5505 with dual ISP + IPSEC
Hello guys,
I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with Security Plus license.
Routing works OK (connecting to the Internet from site A works through both the first and the second ISP), but IPSEC only works through the first ISP! It seems that phase 1 and phase 2 of the IPSEC protocol are correct, but the packets are only encrypted, not decrypted. Do you have an idea what the problem is?
I try to ping from site A (PC - 10.4.1.66) to site B (PC - 10.3.128.50).
Thank you
config site A:
##########################################################################
ASA Version 8.2(1)
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
siteA# sh crypto isakmp sa d
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91
siteA# sh crypto ipsec sa
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy
      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B
    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011|10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011|10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
config site B:
##########################################################################
ASA Version 8.0(4)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address siteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address siteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *
SiteB# sh crypto isakmp sa d
   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8
8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245
SiteB# sh crypto ipsec sa | b 212.89.235.yy
      current_peer: 212.89.235.yy
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65
    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y
SiteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011|10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011|10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
I hope this answers your question. Feel free to mark the post as answered and rate useful posts.
Have a good day.
-
Hi all
I checked the POST on an ASA5505 (9.1(3)) and it shows 2 Gigabit NICs:
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 885a.92d9.f938
88E6095 rev 2 Ethernet @ index 07 MAC: 885a.92d9.f937
88E6095 rev 2 Ethernet @ index 06 MAC: 885a.92d9.f936
88E6095 rev 2 Ethernet @ index 05 MAC: 885a.92d9.f935
88E6095 rev 2 Ethernet @ index 04 MAC: 885a.92d9.f934
88E6095 rev 2 Ethernet @ index 03 MAC: 885a.92d9.f933
88E6095 rev 2 Ethernet @ index 02 MAC: 885a.92d9.f932
88E6095 rev 2 Ethernet @ index 01 MAC: 885a.92d9.f931
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 885a.92d9.f939
Is there a Gigabit license on the roadmap?
Kind regards
Norbert
Hello
I doubt it has anything to do with future changes, as the device is specced for only 150 Mbps throughput.
I haven't seen Cisco release any replacement model, even though I have asked a few times.
I think the 2 GigabitEthernet interfaces refer to the Internal-Data0/0 and Internal-Data0/1 interfaces.
Here is the output from my own ASA:
Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
        (Full-duplex), (1000 Mbps)
Interface Internal-Data0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
        (Full-duplex), (1000 Mbps)
Also, here is a picture from a Cisco Live! presentation on the architecture of the ASA5505 model.
Hope this helps
-Jouni
-
Cisco ASA5505 VPN configuration with Cisco 800
I have 2 office buildings using Cisco 800 series routers with an L2L VPN between the two. I'm upgrading from the router to an ASA5505 at one of the offices but cannot figure out the L2L VPN on the ASA. Specifically, I can't figure out how to set the pre-shared key. On the Cisco 800 there is:
crypto isakmp key address
This doesn't seem to work on the ASA. Can anyone help with this? Here is my current config on the Cisco 800...
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address
!
!
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map MYmap 10 ipsec-isakmp
 set peer 75.148.153.217
 set security-association lifetime seconds 36000
 set transform-set DUMAC3
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
In your crypto maps, the '10' and '65535' are the sequence numbers. A crypto map might look like this:
crypto map primaryisp_map 10 match address 101
crypto map primaryisp_map 10 set peer 99.119.80.165
crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
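The reply above shows the crypto map but not where the pre-shared key goes, which was the actual question. As an added example (editor's addition, not from the thread), here is the full ASA 8.2 side of the same tunnel, assuming the ASA replaces the Cisco 800 whose config was posted (so its local LAN is 192.168.1.0/24, the other office is 192.168.7.0/24 behind 75.148.153.217). The interface name "outside", the ACL and map names, and the key text are placeholders; on 8.4 and later the transform-set line takes the ikev1 keyword as in the reply. On the ASA there is no global crypto isakmp key line: the key is set per peer under a tunnel-group named after the peer address.

```cisco
! Added example: ASA 8.2 side of an L2L tunnel to a Cisco 800; not from the thread.
! Assumed: ASA outside interface "outside", local LAN 192.168.1.0/24,
! remote LAN 192.168.7.0/24 behind peer 75.148.153.217, key shown as a placeholder.
!
! Phase 1 proposal must match the router's "crypto isakmp policy 10".
! 3DES/MD5 are kept only to match the existing router; move both ends to AES/SHA when you can.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! The pre-shared key lives here, under the tunnel-group named after the peer address
tunnel-group 75.148.153.217 type ipsec-l2l
tunnel-group 75.148.153.217 ipsec-attributes
 pre-shared-key REPLACE-WITH-THE-ROUTER-KEY
!
! Phase 2: mirror image of the router's access-list 101 (ASA uses subnet masks, not wildcards)
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto map primaryisp_map 10 match address L2L-TRAFFIC
crypto map primaryisp_map 10 set peer 75.148.153.217
crypto map primaryisp_map 10 set transform-set DUMAC3
crypto map primaryisp_map 10 set security-association lifetime seconds 36000
crypto map primaryisp_map interface outside
!
! Keep tunnel traffic out of PAT, otherwise the router never sees the source addresses
! its own access-list 101 expects and Phase 2 never matches
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

To check the result, send interesting traffic and look at "show crypto isakmp sa" (the peer should reach MM_ACTIVE) and "show crypto ipsec sa" (both #pkts encaps and #pkts decaps should be non-zero). Encaps climbing with decaps stuck at zero means the far end is not returning traffic into the tunnel, which is usually a mismatched ACL or NAT exemption on that side rather than a key problem.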
-
Cisco ASA5505: web services not available through the identity firewall
Hello, everyone!
I'm putting the pieces together so that users authenticated via AD are allowed out to the Internet.
Given a Cisco ASA 5505. The AD Agent is installed on the domain controller (it reports dc - up and client - up), and the ASA quietly picks up the user logins. IP addresses on the network are handed out by DHCP, which runs on the domain controller. The essence of the problem is that after authentication the user's Internet access drops after a while. That is, the user logs on to the computer, opens the browser, opens a few sites, then after 5-7 minutes of inactivity the Internet is no longer available. Internet access comes back when the user logs on again after some time, or when the computer's "Local Area Connection" is disabled for 1 minute. Where should I dig?
The configuration on the ASA is as follows:
object-group user ACTIVE_ALLOW
user-group DCU\\CASA61_Allow
user DCU\User1
user DCU\User2
access-list inside_access_in_1 extended permit ip object-group-user ACTIVE_ALLOW 192.168.1.0 255.255.255.0 any log debugging
aaa-server ADA protocol radius
ad-agent-mode
interim-accounting-update
reactivation-mode depletion deadtime 1
merge-dacl after-avpair
aaa-server ADA (inside) host dc61-01
key *****
radius-common-pw *****
no mschapv2-capable
aaa-server AD protocol ldap
reactivation-mode depletion deadtime 1
aaa-server AD (inside) host dc61-01
ldap-base-dn dc=DCU,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=CISCOASA61,OU=Users_MC,dc=DCU,dc=local
server-type microsoft
user-identity domain DCU aaa-server AD
user-identity domain DC61-01 aaa-server AD
user-identity default-domain DCU
user-identity action domain-controller-down DCU disable-user-identity-rule
no user-identity action mac-address-mismatch remove-user-ip
no user-identity inactive-user-timer
user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
user-identity poll-import-user-group-timer hours 12
user-identity ad-agent active-user-database full-download
user-identity ad-agent aaa-server ADA
user-identity user-not-found enable
At this point, while I was writing this message (20 min), I was kicked off the Internet for 1 hour.
Hello,
Remove the NetBIOS probes and see if the problem goes away.
Mike.
-
Cisco ASA5505 ver 8.2 PAT port for Lifesize videoconferencing
I just got a Lifesize videoconferencing unit, my gateway is a Cisco ASA 5505 running version 8.2.1 and I only have one public/static IP address, so how do I set up
TCP/UDP port forwarding for the range 60000 to 64999?
Double post.
Go HERE.
-
Refining AAA for Cisco device login
Dear Netpro community,
I'm trying to tweak the AAA portion on the Cisco device.
Here is my current setup:
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default group radius enable
If the RADIUS server is offline, the first level is not a problem. However, the problem occurs when I want to go into enable mode. It will not use the locally set enable password, but instead it goes and looks for the RADIUS server for authentication.
Debug:
test_switch>en
Password:
01:05:15: RADIUS: authenticating using $enab15$
01:05:15: RADIUS: ustruct sharecount=1
01:05:15: RADIUS: Send to tty0 id 44 x.x.x.x:1812, Access-Request, len 72
01:05:15:         Attribute 4 6 AC10E10F
01:05:15:         Attribute 5 6 00000000
01:05:15:         Attribute 61 6 00000000
01:05:15:         Attribute 1 10 24656E61
01:05:15:         Attribute 2 18 69ABFDF8
01:05:15:         Attribute 6 6 00000006
01:05:20: RADIUS: Retransmit id 44
01:05:25: RADIUS: Retransmit id 44
01:05:30: RADIUS: Retransmit id 44
Password:
01:05:35: RADIUS: Marking server x.x.x.x:1812,1813 dead
01:05:35: RADIUS: Tried all servers.
01:05:35: RADIUS: No valid server found. Trying any viable server
01:05:35: RADIUS: Tried all servers.
01:05:35: RADIUS: no response for id 44
01:05:35: RADIUS: No response from server
% Password: timeout expired!
% Authentication failed.
How can I make sure that I can get into privileged mode on the switch if there is no path to the RADIUS server?
It took 20 seconds from the original send:
01:05:15: RADIUS: Send to tty0 id 44 x.x.x.x:1812, Access-Request, len 72
...with three retransmits, until the server was marked dead:
01:05:35: RADIUS: Marking server x.x.x.x:1812,1813 dead
Maybe you should mark a RADIUS server that has gone missing as dead more quickly, by setting a RADIUS server timeout (for example: 1 sec.).
For example:
radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813 timeout 1 key xxxxxxxxxx
If the server is recognized as dead earlier (4 s, incl. 3 retransmits), maybe it's possible to use the locally configured enable password before the password timeout occurs.
I can't say for sure that this will solve your problem, but I know I'd want to try it to find out.
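As an added example (editor's addition, not from the thread), here is an IOS AAA configuration built around the reply's suggestion, so that the fallback method in the list gets a chance to run before the password prompt times out. The server address 10.1.1.20 and all secrets are placeholders. The point worth knowing is that IOS only moves on to the next method when the previous one returns an error (server unreachable); a server that answers with a reject ends the attempt. Short timeouts and dead-server detection are therefore what make the local enable secret reachable when RADIUS is down.

```cisco
! Added example: IOS AAA with fast fallback to local credentials; not from the thread.
! Assumed: one RADIUS server at 10.1.1.20; secrets are placeholders.
aaa new-model
!
! Login: RADIUS first, local user database if RADIUS is unreachable (order is a choice;
! the poster had local first, which also works, but exposes local accounts to guessing first)
aaa authentication login default group radius local
! Enable: RADIUS ($enab15$ request) first, the locally configured enable secret if unreachable
aaa authentication enable default group radius enable
!
! The local credentials that the fallback methods actually use
enable secret REPLACE-WITH-STRONG-SECRET
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Fail fast: 1 s per attempt and a single retransmit, so a dead server costs about 2 s
radius-server timeout 1
radius-server retransmit 1
! Declare the server dead after 3 failed tries within 5 s, and skip it for 10 minutes
! so every later login does not pay the timeout again
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
```

With this in place the debug sequence from the question should show the Marking server dead line after a couple of seconds instead of 20, and the enable method list falls through to the local secret. "test aaa group radius admin REPLACE-WITH-STRONG-PASSWORD legacy" exercises the server without logging out, and "debug aaa authentication" shows which method in the list actually granted access.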
-
VPN tunnel between two Cisco ASA5505s drops every 15-30 minutes
It attempts authentication but never reconnects. I have to restart the appliance to get the tunnel back.
In the syslogs, I found the following:
2010-07-07 13:28:34 Local4.Notice 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
David,
Indeed, this might be the reason.
Any chance you can apply some kind of shaping? (At worst, the ASA can do it quite decently, but only in the outbound direction AFAIR.)
Marcin
-
Can Log Insight work with Cisco Catalyst and Nexus devices?
Hi guys,
does anyone use Log Insight with Catalyst and Nexus devices?
Yes, Log Insight will work with any unstructured data sent via the syslog protocol. Cisco devices support remote logging to a syslog destination such as Log Insight.
-
Cisco ASA 5505 VPN passthrough
Hello
At home I've installed a Cisco ASA 5505 because the provider has the cable modem in transparent mode. So I have the public IP address on my firewall.
Also for training, because we have ASAs at work. So I have no feel for it yet.
But sometimes I have to build a VPN session to a server at work. But I don't get a connection to the server. If I remove the ASA 5505, then the connection to the work server is fine. But when the ASA 5505 is back in its place, it doesn't log on to the VPN to the outside world.
Could someone point me in the right direction?
Is it possible to create an outbound VPN connection through the Cisco ASA5505?
Thanks in advance
Greetings
Palermo
Hi Palermo,
You didn't mention the type of VPN connection you use.
If it's PPTP, then you need to inspect the traffic so that the ASA allows it back in from 'outside'. Try the following:
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
!
Cheers,
SEB.
-
Hello everyone,
I'm having problems getting IPsec VPN remote access to work.
The goal is to be able to connect to our internal network from home or elsewhere.
When I try to connect to my home VPN, I get no further than Phase 1.
My setup is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem, on the ASA's outside, is 192.168.1.1.
The IP address of the ASA is 192.168.1.254 on the outside and 10.0.0.1 on the inside. I put the ASA in the DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router just as a simple gateway and handle everything else with the ASA).
So my problem is that I can't seem to connect to the VPN through the public IP address.
Here is my config:
: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w2ilihWc encrypted
username test password zGOnThs6HPdiZhqs encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool VPNpool
tunnel-group testvpn ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end
My client config is attached.
When I look at what happens during the connection with Wireshark, I see 'Port Unreachable'. Do I have to do something on my ISP router? Because I read that it's not necessary to use NAT if the device is in the DMZ.
Can you help me please?
Because you have that address on your external interface, you will need to tell your router to forward traffic to the ASA. So you can do NAT or port forwarding to the ASA.
I guess you only have a single public IP address assigned by your ISP.
Kind regards
Jan
-
How to upgrade ASA and ASDM on an ASA5505 at the same time
Can anyone suggest a way to upgrade the software on the Cisco ASA5505, both ASA and ASDM simultaneously, without the trouble I just had?
Here is what happened. I copied the files asa821-k8.bin and asdm-621.bin to flash, then renamed the old versions to Oasa724-k8.bin and Oasdm-524.bin, and then issued the reload command from the Windows GUI.
Big mistake. I lost ASDM connectivity entirely and was forced to buy a USB to serial port adapter and plug the cable into the CLI port so I could get back into the unit. I found that it was running the asa821-k8.bin kernel, as expected, but apparently ASDM was still at version 5.24.
Should I have created a new folder and moved the older versions of the files there, then issued the reload command and hoped for the best?
I feel like I've messed things up; I guess I have to use TFTP to reload the boot image to get the ASA5505 back up again (using the ROMMON commands).
In fact, the only way I was able to recover the Windows GUI was by using the boot command with the older asa724-k8.bin image.
What is the right way to upgrade to the new versions asa 8.2(1) and asdm 6.2(1)?
Really, I don't want to risk losing my ability to talk to this box, and I spent an anxious afternoon yesterday when I got the pop-up message box "cannot display the ASDM manager".
======
After working with the CLI port, I noticed the following error:
Device Manager image set, but unable to find disk0:/asdm-524.bin
from config line 75, "asdm image disk0:/asdm-5...". So apparently some configuration must point to the correct ASDM, and just blindly changing the files in the folder will NOT work.
========
After working more with the CLI port and the Windows GUI, I found that the 'asdm image' command did NOT work in the CLI software, but was apparently working in the GUI software, so I ran that command to tell the system to use the recent 6.21 on startup.
After that and issuing the reload command from the CLI, I was able to come up successfully with the latest ASA and ASDM software.
I would note that having CLI access is valuable in this case.
I DON'T know why the 'asdm image' command appears inaccessible on the CLI port.
Any ideas?
As far as I'm concerned this problem has been resolved (by trial and error).
When the ASA boots it tries to use the file in the 'boot system' command in the config. If it can't find this file (it was not there because you renamed it), it boots the first image it finds...
However for ASDM the ASA uses just the image you have configured. You were pointing to asdm 5.2 and renamed it, so there was no valid ASDM image to use.
In other words you should have just changed the 'asdm image' and 'boot system' commands in the config to point to the new files, saved the configuration and reloaded, and then it would have worked fine.
I hope it helps.
PK
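As an added example (editor's addition, not from the thread), here is the CLI procedure the reply describes, carried through in the order that keeps a working fallback at every step. The file names are those from the thread; the TFTP server address 10.0.0.42 is an assumption, and the MD5 values to compare against must come from the Cisco download page for each image.

```cisco
! Added example: upgrading the ASA and ASDM images together from the CLI; not from the thread.
! Assumed: TFTP server 10.0.0.42 reachable from the ASA; file names as in the thread.
copy tftp://10.0.0.42/asa821-k8.bin disk0:/asa821-k8.bin
copy tftp://10.0.0.42/asdm-621.bin disk0:/asdm-621.bin
!
! Check integrity before trusting either image (compare the printed hash with Cisco's published MD5)
verify /md5 disk0:/asa821-k8.bin
verify /md5 disk0:/asdm-621.bin
!
! Repoint the boot and ASDM variables at the new files; do not rename or delete the old ones yet.
! The first "boot system" entry is tried first, so keep the known-good image as the second entry.
configure terminal
 no boot system disk0:/asa724-k8.bin
 boot system disk0:/asa821-k8.bin
 boot system disk0:/asa724-k8.bin
 asdm image disk0:/asdm-621.bin
 end
!
! Confirm what will actually be booted and which ASDM image is referenced, then persist and reload
show bootvar
show asdm image
write memory
reload
!
! Only after the box is back on 8.2(1) and ASDM 6.2(1) reconnects, retire the old images
configure terminal
 no boot system disk0:/asa724-k8.bin
 end
write memory
delete disk0:/asa724-k8.bin
delete disk0:/asdm-524.bin
```

"show version" after the reload confirms the running image, and "show asdm image" confirms the ASDM path the running config points to. Keeping the previous image on flash and in the boot list until the new one has been seen to work is what avoids the serial-cable afternoon described above.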
-
Mounting kit - Cisco WLC 2125
It says in the product literature for the WLC 2125 that there is a rack mounting kit "for flexible deployment".
Can someone please point me in the right direction for the part number?
Maybe it's the same as the ASA5505 kit, as the boxes appear to be somewhat identical...?
-OCEAN
Hi Ocean,
Yes, it's a good guess, I'm guessing the ASA 5505 and WLC 2100 must use the same chassis.
http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp104420
Or this one kindly provided by Scott;
http://www.cablesandkits.com/Cisco-ASA5505-rack-mount-kit-p-1415.html
I hope this helps!
Rob -
ASA5505 with 10 users. Need to connect 25 remote users with AnyConnect client
Hello everyone.
I have an ASA5505 with a 10-user license. I need to connect 25 remote users via SSL VPN (in my case the Cisco AnyConnect client). So I have to buy the Security Plus license (ASA5505-SEC-PL=) for more than 10 simultaneous VPN connections on the Cisco ASA 5505. Correct?
And the main question. Do I need to order the user upgrade license (for example ASA5505-SW-10-50= or ASA5505-SW-10-UL=) for my Cisco ASA5505 in order to have 25 concurrent remote user connections without restriction per remote user?
You need the SecPlus license for more remote access users. But you don't need an extra user license if you still only have up to 10 internal systems.
-
ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure
I worked on it for a while and just have not found a solution yet.
I have a Cisco ASA5505 set up at home and I'm trying to use the AnyConnect VPN client with it. I followed the ASA 8.x split tunnel example but I'm still missing something.
My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation at 10.170.0.6, printers at 10.170.0.20 and 21, and the inside of the router itself is 10.170.0.1.
I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:
5|Jan 27 2010|10:33:37|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:36|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:35|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:34|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:30|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:29|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.255.255|137|Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:23|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:17|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:13|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:07|305013|10.170.0.6||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
I tried several things with NAT, but was not able to get past this. Would anyone mind looking at my running config and helping me with this? Thanks a bunch!
-Tim
Couple of points to check.
name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool
access-list inside_nat0_outbound extended permit ip [inside network] 255.255.0.0 UFP-VPN-pool 255.255.255.0
Looks like it should be
access-list inside_nat0_outbound extended permit ip [inside network] 255.255.255.0 UFP-VPN-pool 255.255.255.0
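Pulling the reply's two corrections together, here is an added example (editor's addition, not from the thread) of the 8.2-style NAT exemption and split-tunnel pieces for an AnyConnect pool in this address plan. The inside network is taken as 10.170.0.0/24, the pool stays at 10.170.13.0/24 as in the question, and the pool, group-policy and tunnel-group names are invented; enabling webvpn and the AnyConnect package on the outside interface is assumed to be done already. Message 305013 means the forward and reverse flows matched different NAT rules, so the nat 0 ACL has to name the inside-to-pool pair exactly and the pool mask has to be a real /24 (a /16 pool mask is also why the client was broadcasting to 10.170.255.255 in the log).

```cisco
! Added example: ASA 8.2 NAT exemption and split tunnel for an AnyConnect pool; not from the thread.
! Assumed: inside LAN 10.170.0.0/24, pool 10.170.13.0/24, names UFP-POOL / UFP-GP / UFP-TG invented.
names
name 10.170.13.0 UFP-VPN-pool
ip local pool UFP-POOL 10.170.13.10-10.170.13.50 mask 255.255.255.0
!
! Exempt inside <-> pool traffic from NAT. nat 0 is evaluated before dynamic NAT, and the same
! ACL covers the reverse direction, so forward and reverse flows match the same rule.
access-list inside_nat0_outbound extended permit ip 10.170.0.0 255.255.255.0 UFP-VPN-pool 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Ordinary Internet traffic from the LAN stays on interface PAT
global (outside) 1 interface
nat (inside) 1 10.170.0.0 255.255.255.0
!
! Split tunnel: only the home LAN rides the VPN; the client's Internet traffic never enters the pool
access-list SPLIT-TUNNEL standard permit 10.170.0.0 255.255.255.0
group-policy UFP-GP internal
group-policy UFP-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group UFP-TG type remote-access
tunnel-group UFP-TG general-attributes
 address-pool UFP-POOL
 default-group-policy UFP-GP
```

"show run nat" and "show run access-list inside_nat0_outbound" should show the corrected name and mask after this is applied, and "packet-tracer input outside icmp 10.170.13.10 8 0 10.170.0.6" walks the NAT lookup for a packet from the pool and reports the nat 0 exemption as the matching rule instead of the reverse path failure.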